author: David Zeuthen <zeuthen@google.com> 2016-11-16 17:58:13 -0500
committer: David Zeuthen <zeuthen@google.com> 2016-11-21 15:30:56 -0500
commit: 0155e6b158bdc5b3a442f16a5dc124d5dee9c71c
tree: 6554794899e94fb8955d32bd18936a3ce914828c
parent: 18666abc5d8276a743111e6c3608e66f6c85fb51
Enable operations on unlocked devices.

If a device is unlocked the expected behavior is that slots are rejected if, and only if, they are invalid, not if they fail verification. Verification failure includes rollback index comparison failures, signature mismatch, signature made by an unknown key, vbmeta structs without any signature, and so on. Basically the spirit here is that an unlocked device should be able to boot an image built on your local workstation and e.g. signed with your own keys.

To easily enable such operations with avb_slot_verify() and avb_ab_flow(), we introduce a boolean |allow_verification_error| parameter in each function. If this is false everything is as before and we'll abort verification as soon as something doesn't verify. On the other hand, if |allow_verification_error| is true then we'll keep going and only bail if e.g. the AVB metadata is invalid, _not_ if it fails verification. This is designed so callers can set |allow_verification_error| to true exactly if the device is unlocked.

Callers of avb_slot_verify() where |allow_verification_error| is set to true are guaranteed that AVB_SLOT_VERIFY_RESULT_OK is returned if, and only if, the slot verified correctly.

Introduce AVB_AB_FLOW_RESULT_OK_WITH_VERIFICATION_ERROR in addition to AVB_AB_FLOW_RESULT_OK so avb_ab_flow() users can make a distinction whether the image verified or not. The new value can only be returned if |allow_verification_error| is set to true.

In both cases - avb_slot_verify() and avb_ab_flow() - the bootloader has enough information to determine if the slot to boot cannot be verified. For example, the device can convey to the user that the OS it's about to boot is unverified and request the user to click through. On the other hand if the slot did verify (despite the device being unlocked) the bootloader can nicely avoid such a kludge.

Add some new test cases to verify correct operation both if |allow_verification_error| is true or false.

Test: New unit tests and all unit tests pass.
Test: Tested in UEFI-based bootloader in qemu.
Bug: 32949911
Change-Id: I218c8761c201d2e8e4dc73eaebfb1ac2742e0726
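The decision rule the commit message describes (invalid metadata is always rejected; verification failures are tolerated only when the device is unlocked; the "OK" result means the slot really verified) is captured below as a constructed C model. This is added example code, not libavb's own implementation: the Model*, BOOT_DECISION_* and kExampleSlots names are hypothetical, the verify-result enum lists only the failure classes the commit message names, and the slot walk uses plain array order instead of the real A/B priority and tries-remaining bookkeeping.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical verify results, modelled on the classes the commit message
 * names. Only INVALID_METADATA is a structural problem; the rest are
 * "verification failures". (Not libavb's AvbVBMetaVerifyResult.) */
typedef enum {
  MODEL_RESULT_OK,
  MODEL_RESULT_INVALID_METADATA,   /* malformed vbmeta: never bootable */
  MODEL_RESULT_ROLLBACK_INDEX,     /* rollback index comparison failed */
  MODEL_RESULT_SIGNATURE_MISMATCH, /* signature does not match */
  MODEL_RESULT_UNKNOWN_KEY,        /* signed by a key we do not trust */
  MODEL_RESULT_UNSIGNED            /* vbmeta struct carries no signature */
} ModelVerifyResult;

typedef enum {
  BOOT_DECISION_VERIFIED,        /* boot normally */
  BOOT_DECISION_UNVERIFIED_WARN, /* boot, but tell the user (unlocked only) */
  BOOT_DECISION_REJECT           /* do not boot this slot */
} BootDecision;

typedef enum {
  MODEL_AB_FLOW_OK,                         /* chosen slot verified */
  MODEL_AB_FLOW_OK_WITH_VERIFICATION_ERROR, /* bootable only because unlocked */
  MODEL_AB_FLOW_ERROR_NO_BOOTABLE_SLOTS
} ModelAbFlowResult;

/* True for the results the commit message calls verification failures. */
static bool model_is_verification_error(ModelVerifyResult r) {
  switch (r) {
    case MODEL_RESULT_ROLLBACK_INDEX:
    case MODEL_RESULT_SIGNATURE_MISMATCH:
    case MODEL_RESULT_UNKNOWN_KEY:
    case MODEL_RESULT_UNSIGNED:
      return true;
    default:
      return false;
  }
}

/* Per-slot decision. |allow_verification_error| is true exactly when the
 * device is unlocked. VERIFIED is returned if, and only if, the slot
 * verified, regardless of the lock state. */
BootDecision model_decide_boot(ModelVerifyResult r, bool allow_verification_error) {
  if (r == MODEL_RESULT_OK) return BOOT_DECISION_VERIFIED;
  if (model_is_verification_error(r) && allow_verification_error)
    return BOOT_DECISION_UNVERIFIED_WARN;
  return BOOT_DECISION_REJECT; /* invalid metadata, or locked device */
}

/* Simplified A/B flow: walk slots in array order (a stand-in for the real
 * priority order) and return the index of the first bootable one, or -1. */
int model_ab_flow_chosen_slot(const ModelVerifyResult* slots, size_t n_slots,
                              bool allow_verification_error) {
  for (size_t i = 0; i < n_slots; i++) {
    if (model_decide_boot(slots[i], allow_verification_error) != BOOT_DECISION_REJECT)
      return (int)i;
  }
  return -1;
}

/* Flow result that lets the bootloader distinguish "verified" from
 * "bootable only because verification errors are allowed". */
ModelAbFlowResult model_ab_flow(const ModelVerifyResult* slots, size_t n_slots,
                                bool allow_verification_error) {
  int chosen = model_ab_flow_chosen_slot(slots, n_slots, allow_verification_error);
  if (chosen < 0) return MODEL_AB_FLOW_ERROR_NO_BOOTABLE_SLOTS;
  return model_decide_boot(slots[chosen], allow_verification_error) == BOOT_DECISION_VERIFIED
             ? MODEL_AB_FLOW_OK
             : MODEL_AB_FLOW_OK_WITH_VERIFICATION_ERROR;
}

/* Constructed sample: slot 0 is signed with a key we do not know (e.g. a
 * developer's own key), slot 1 verifies cleanly. */
static const ModelVerifyResult kExampleSlots[2] = {MODEL_RESULT_UNKNOWN_KEY,
                                                   MODEL_RESULT_OK};

int main(void) {
  for (int unlocked = 0; unlocked <= 1; unlocked++) {
    int slot = model_ab_flow_chosen_slot(kExampleSlots, 2, unlocked != 0);
    printf("unlocked=%d -> slot %d, flow result %d\n", unlocked, slot,
           (int)model_ab_flow(kExampleSlots, 2, unlocked != 0));
  }
  return 0;
}
```

On a locked device the model skips slot 0 and boots the verified slot 1 with MODEL_AB_FLOW_OK; on an unlocked device slot 0 wins in priority order but is reported as OK_WITH_VERIFICATION_ERROR, which is the signal the bootloader needs to show the unverified-OS warning. A slot with invalid metadata is rejected in both states.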
Diffstat (limited to 'libavb/avb_vbmeta_image.h')
-rw-r--r--  libavb/avb_vbmeta_image.h  6
1 file changed, 5 insertions, 1 deletion
diff --git a/libavb/avb_vbmeta_image.h b/libavb/avb_vbmeta_image.h
index adcb4d4..363688e 100644
--- a/libavb/avb_vbmeta_image.h
+++ b/libavb/avb_vbmeta_image.h
@@ -197,6 +197,9 @@ typedef enum {
AVB_VBMETA_VERIFY_RESULT_SIGNATURE_MISMATCH,
} AvbVBMetaVerifyResult;
+/* Get a textual representation of |result|. */
+const char* avb_vbmeta_verify_result_to_string(AvbVBMetaVerifyResult result);
+
/* Checks that vbmeta image at |data| of size |length| is a valid
* vbmeta image. The complete contents of the vbmeta image must be
* passed in. It's fine if |length| is bigger than the actual image,
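Review bot: the comment on the new avb_vbmeta_verify_result_to_string() declaration ("Get a textual representation of |result|.") says nothing about the lifetime of the returned pointer or about a |result| value outside the enum; suggest stating that the function returns a pointer to a static, NUL-terminated string that the caller must not free, and that an unknown value yields a fixed fallback string rather than NULL, so callers can pass the result straight to logging without a NULL check.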
@@ -212,7 +215,8 @@ typedef enum {
* |out_public_key_data| is non-NULL, it will be set to point inside
* |data| for where the serialized public key data is stored and
* |out_public_key_length|, if non-NULL, will be set to the length of
- * the public key data.
+ * the public key data. If there is no public key in the metadata then
+ * |out_public_key_data| is set to NULL.
*
* See the |AvbVBMetaVerifyResult| enum for possible return values.
*
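Review bot: the new sentence covers |out_public_key_data| for the no-public-key case but leaves |out_public_key_length| unspecified, even though the surrounding text sets the length only "if non-NULL" and callers typically read both together; suggest extending it to "If there is no public key in the metadata then |out_public_key_data| is set to NULL and |out_public_key_length|, if non-NULL, is set to 0." so a caller cannot end up with a stale length beside a NULL pointer.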